U.S. Department of Energy
Office of Inspector General
Office of Audits & Inspections

Audit Report

Department of Energy's Fiscal Year 2012 Consolidated Financial Statements

OAS-FS-13-04                                                     November 2012


Department of Energy
Washington, DC 20585

November 15, 2012

MEMORANDUM FOR THE SECRETARY

FROM:     Gregory H. Friedman
          Inspector General

SUBJECT:  INFORMATION: Report on the Department of Energy's Fiscal Year 2012 Consolidated Financial Statements

Pursuant to requirements established by the Government Management Reform Act of 1994, the Office of Inspector General (OIG) engaged the independent public accounting firm of KPMG, LLP (KPMG) to perform the audit of the Department of Energy's (Department) Fiscal Year 2012 Consolidated Financial Statements.

KPMG audited the Department's consolidated balance sheets as of September 30, 2012 and 2011, and the related consolidated statements of net cost, changes in net position, and custodial activity, and combined statement of budgetary resources, for the years then ended. KPMG concluded that these consolidated financial statements are presented fairly, in all material respects, and in conformity with U.S. generally accepted accounting principles and has issued an unqualified opinion based on its audits and the reports of other auditors for the years ended September 30, 2012 and 2011.

As part of this review, auditors also considered the Department's internal controls over financial reporting and tested for compliance with certain provisions of applicable laws, regulations, contracts and grant agreements that could have a direct and material effect on the consolidated financial statements. The audit revealed certain deficiencies in internal control over financial reporting related to unclassified network and information systems security that were considered to be a significant deficiency. The following significant deficiency in the Department's system of internal controls is not considered a material weakness:

   •   Unclassified Network and Information Systems Security: Network vulnerabilities and weaknesses in access and other security controls in the Department's unclassified computer information systems continue to exist. The Department has taken steps to enhance its unclassified cyber security program, including oversight of cyber security reform efforts, issuing guidance, and the development of a notional cyber security management architecture framework to support the Department's mission-related risk management approach.

The audit disclosed no instances of noncompliance or other matters that are required to be reported under applicable audit standards and requirements.

KPMG is responsible for the attached auditor's report and the opinions and conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding KPMG's performance under the terms of the contract. Our review was not intended to enable us to express, and accordingly we do not express, an opinion on the Department's financial statements, management's assertions about the effectiveness of its internal control over financial reporting or the Department's compliance with laws and regulations. Our monitoring review disclosed no instances where KPMG did not comply with applicable auditing standards.

I would like to thank each of the Department elements for their courtesy and cooperation during the review.

Attachment

cc:   Deputy Secretary
      Associate Deputy Secretary
      Under Secretary for Nuclear Security
      Acting Under Secretary of Energy
      Office of the Under Secretary for Science
      Acting Deputy Chief Financial Officer
      Chief of Staff

Audit Report: OAS-FS-13-04

http://www.cfo.doe.gov/cf12/2012parAFR.pdf


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

Independent Auditors' Report

The Inspector General, United States Department of Energy and
The Secretary, United States Department of Energy:

We have audited the accompanying consolidated balance sheets of the United States (U.S.) Department of Energy (Department) as of September 30, 2012 and 2011, and the related consolidated statements of net cost, changes in net position, and custodial activity, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements.
In connection with our fiscal year 2012 audit, we also considered the Department's internal control over financial reporting and tested the Department's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

As discussed in this report, a Power Marketing Administration of the Department, whose Department-related financial data is included in the accompanying consolidated financial statements, was audited by other auditors whose report has been furnished to us and was considered in forming our overall opinion on the Department's consolidated financial statements.

Summary
As stated in our opinion on the consolidated financial statements, based upon our audits and the report of the other auditors, we concluded that the Department's consolidated financial statements as of and for the years ended September 30, 2012 and 2011, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

As discussed in our Opinion on the Financial Statements, the Department changed its presentation for reporting the combined statements of budgetary resources in fiscal year 2012.

Our opinion emphasizes that: (1) the Department has direct loans and loan guarantees issued under the Federal Credit Reform Act of 1990 and that subsidy costs of the loans and loan guarantees include interest rate differentials, delinquencies, defaults, fees, and other cash flow items; (2) the cost estimates supporting the Department's environmental cleanup and disposal liabilities are based upon assumptions regarding funding and other future actions and decisions, many of which are beyond the Department's control; and (3) the Department is involved as a defendant in several matters of litigation relating to its inability to accept commercial spent nuclear fuel by January 31, 1998, the date specified in the Nuclear Waste Policy Act of 1982, as amended.

Our consideration of internal control over financial reporting resulted in identifying certain deficiencies related to unclassified network and information systems security that we consider to be a significant deficiency, as defined in the Internal Control Over Financial Reporting section of this report.

We did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined in the Internal Control Over Financial Reporting section of this report.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.


U.S. Department of Energy
November 14, 2012
Page 2 of 6

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin Number (No.) 07-04, Audit Requirements for Federal Financial Statements, as amended.

The following sections discuss our opinion on the Department's consolidated financial statements; our consideration of the Department's internal control over financial reporting; our tests of the Department's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.

Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of the United States Department of Energy as of September 30, 2012 and 2011, and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources for the years then ended.

We did not audit the financial statements of the Bonneville Power Administration as of and for the years ended September 30, 2012 and 2011, whose Department-related financial data reflect total assets constituting 12.7 percent and 12.2 percent and total net costs constituting (0.5) percent and (0.6) percent, respectively, of the related consolidated totals. Those financial statements were audited by other auditors whose report has been furnished to us, and our opinion, insofar as it relates to the amounts included for the Bonneville Power Administration, is based solely upon the report of the other auditors.

In our opinion, based on our audits and the report of the other auditors, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the United States Department of Energy as of September 30, 2012 and 2011, and its net costs, changes in net position, budgetary resources, and custodial activity for the years then ended, in conformity with U.S. generally accepted accounting principles.

As discussed in Note 1.Q. to the consolidated financial statements, the Department changed its presentation for reporting the combined statement of budgetary resources in fiscal year 2012, based on new reporting requirements under OMB Circular No. A-136, Financial Reporting Requirements. As a result, the Department's combined statement of budgetary resources for fiscal year 2011 has been adjusted to conform to the current year presentation.

As discussed in Note 7 to the consolidated financial statements, the Department has total direct loans and loan guarantees, net, of $13 billion and $7 billion as of September 30, 2012 and 2011, respectively, which are issued under the Federal Credit Reform Act of 1990. Subsidy costs of the direct loans and loan guarantees are intended to estimate the long-term cost to the U.S. Government of its loan program and include interest rate differentials, delinquencies, defaults, fees, and other cash flow items. A subsidy re-estimate is performed annually at September 30. Any adjustment resulting from the re-estimate is recognized as subsidy expense.

As discussed in Note 15 to the consolidated financial statements, the cost estimates supporting the Department's environmental cleanup and disposal liabilities of $268 billion and $251 billion as of September 30, 2012 and 2011, respectively, are based upon assumptions regarding funding and other future actions and decisions, many of which are beyond the Department's control.

As discussed in Note 18 to the consolidated financial statements, the Department is involved as a defendant in several matters of litigation relating to its inability to accept commercial spent nuclear fuel by January 31, 1998, the date specified in the Nuclear Waste Policy Act of 1982, as amended. The Department has recorded liabilities for likely damages of $20 billion and $19 billion as of September 30, 2012 and 2011, respectively.

U.S. generally accepted accounting principles require that the information in the Management's Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections be presented to supplement the basic consolidated financial statements. Such information, although not a part of the basic consolidated financial statements, is required by the Federal Accounting Standards Advisory Board, which considers it to be an essential part of financial reporting for placing the basic consolidated financial statements in an appropriate operational, economic, or historical context.
We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management's responses to our inquiries, the basic consolidated financial statements, and other knowledge we obtained during our audits of the basic consolidated financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Our audits were conducted for the purpose of forming an opinion on the basic consolidated financial statements as a whole. The September 30, 2012 consolidating information in the Consolidating Schedules section of the Department's 2012 Agency Financial Report is presented for purposes of additional analysis and is not a required part of the basic consolidated financial statements. Such information is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the basic consolidated financial statements. The September 30, 2012 consolidating information has been subjected to the auditing procedures applied in the audit of the basic consolidated financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the basic consolidated financial statements or to the basic consolidated financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the September 30, 2012 consolidating information is fairly stated in all material respects in relation to the basic consolidated financial statements as a whole. The information in the Message from the Chief Financial Officer and Other Accompanying Information sections of the Department's 2012 Agency Financial Report is presented for the purposes of additional analysis and is not a required part of the basic consolidated financial statements. Such information has not been subjected to the auditing procedures applied in the audits of the basic consolidated financial statements, and accordingly, we do not express an opinion or provide any assurance on it.

Internal Control Over Financial Reporting
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

Our consideration of internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses. This report also includes our consideration of the results of the other auditors' testing of internal control over financial reporting that are reported on separately by those auditors. However, this report, insofar as it relates to the results of the other auditors' testing, is based solely on the report of the other auditors.

In our fiscal year 2012 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses, as defined above. However, we identified certain deficiencies in internal control over financial reporting related to unclassified network and information systems security, as described below and in more detail in Exhibit I, that we consider to be a significant deficiency in internal control over financial reporting. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

   •   Unclassified network and information systems security – We noted network vulnerabilities and weaknesses in access and other security controls in the Department's unclassified computer information systems. The identified weaknesses and vulnerabilities increase the risk that malicious destruction or alteration of data or unauthorized processing could occur. The Department should fully implement policies and procedures to improve its network and information systems security.

Exhibit II presents the status of the prior year significant deficiency.

We noted certain additional matters involving internal control over financial reporting and internal control over financial management systems that we will report to management in separate letters.

Compliance and Other Matters
The results of our tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, as amended. This report also includes our consideration of the results of the other auditors' testing of compliance and other matters that are reported on separately by the other auditors. However, this report, insofar as it relates to the results of the other auditors' testing, is based solely on the report of the other auditors.

The results of our tests of FFMIA disclosed no instances in which the Department's financial management systems did not substantially comply with the (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.

                                   *******

Responsibilities
Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control over financial reporting; and complying with laws, regulations, contracts, and grant agreements applicable to the Department.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2012 and 2011 consolidated financial statements of the Department based on our audits and the report of the other auditors. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04, as amended. Those standards and OMB Bulletin No. 07-04, as amended, require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Department's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

•   Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
•   Assessing the accounting principles used and significant estimates made by management; and
•   Evaluating the overall consolidated financial statement presentation.

We believe that our audits and the report of the other auditors provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2012 audit, we considered the Department's internal control over financial reporting by obtaining an understanding of the Department's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Department's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the Department's internal control over financial reporting. Furthermore, we did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.

As part of obtaining reasonable assurance about whether the Department's fiscal year 2012 consolidated financial statements are free of material misstatement, we performed tests of the Department's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, as amended, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to the Department. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

                                   ______________________________

The Department's written response to the findings identified in our audit and presented in Exhibit I was not subjected to the auditing procedures applied in the audit of the Department's consolidated financial statements and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of the Department's management, the Department's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 14, 2012


Independent Auditors' Report
Exhibit I – Significant Deficiency

Unclassified Network and Information Systems Security
(Finding numbers reported in separate management letter)

The United States Department of Energy (the Department or DOE) uses a series of interconnected unclassified networks and information systems. Federal and Departmental directives, included in DOE Order 205.1B, Department of Energy Cyber Security Program, require the establishment and maintenance of security over unclassified information systems, including financial management systems. Past audits identified significant weaknesses in selected systems and devices attached to the computer networks at some Department sites. The Department has implemented corrective actions to address many of the identified weaknesses at the sites whose security controls we, and the Department's Office of Health, Safety and Security, reviewed in prior years. However, at the time of our testing, these corrective actions had not been completed. The frequency of network security weaknesses reported by KPMG has decreased when compared to the prior year weaknesses, but remains slightly higher than fiscal year (FY) 2010. The severity of these weaknesses remains consistent with prior year weaknesses. The Department recognizes the need to enhance its unclassified cybersecurity program and has categorized unclassified cybersecurity as a leadership challenge in its Federal Managers' Financial Integrity Act assurance statement for FY 2012.
Management is responsible for the consolidated financial statements;\nestablishing and maintaining effective internal control over financial reporting; and complying with laws,\nregulations, contracts, and grant agreements applicable to the Department.\n\nAuditors\xe2\x80\x99 Responsibilities. Our responsibility is to express an opinion on the fiscal year 2012 and 2011\nconsolidated financial statements of the Department based on our audits and the report of the other\nauditors. We conducted our audits in accordance with auditing standards generally accepted in the United\nStates of America; the standards applicable to financial audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04, as\namended. Those standards and OMB Bulletin No. 07-04, as amended, require that we plan and perform the\naudits to obtain reasonable assurance about whether the consolidated financial statements are free of\nmaterial misstatement. 
An audit includes consideration of internal control over financial reporting as a\nbasis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of\nexpressing an opinion on the effectiveness of the Department\xe2\x80\x99s internal control over financial reporting.\nAccordingly, we express no such opinion.\n\nAn audit also includes:\n\n\xe2\x80\xa2     Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated\n      financial statements;\n\xe2\x80\xa2     Assessing the accounting principles used and significant estimates made by management; and\n\xe2\x80\xa2     Evaluating the overall consolidated financial statement presentation.\n\nWe believe that our audits and the report of the other auditors provide a reasonable basis for our opinion.\n\nIn planning and performing our fiscal year 2012 audit, we considered the Department\xe2\x80\x99s internal control\nover financial reporting by obtaining an understanding of the Department\xe2\x80\x99s internal control, determining\nwhether internal controls had been placed in operation, assessing control risk, and performing tests of\ncontrols as a basis for designing our auditing procedures for the purpose of expressing our opinion on the\nconsolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of\nthe Department\xe2\x80\x99s internal control over financial reporting. Accordingly, we do not express an opinion on\nthe effectiveness of the Department\xe2\x80\x99s internal control over financial reporting. 
Furthermore, we did not test\nall controls relevant to operating objectives as broadly defined by the Federal Managers\xe2\x80\x99 Financial\nIntegrity Act of 1982.\n\nAs part of obtaining reasonable assurance about whether the Department\xe2\x80\x99s fiscal year 2012 consolidated\nfinancial statements are free of material misstatement, we performed tests of the Department\xe2\x80\x99s compliance\nwith certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which\ncould have a direct and material effect on the determination of the consolidated financial statement\namounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, as\namended, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of\ncompliance to the provisions described in the preceding sentence, and we did not test compliance with all\nlaws, regulations, contracts, and grant agreements applicable to the Department. However, providing an\n\x0cU.S. Department of Energy\nNovember 14, 2012\nPage 6 of 6\n\n\n\n\nopinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our\naudit and, accordingly, we do not express such an opinion.\n\n                                   ______________________________\n\nThe Department\xe2\x80\x99s written response to the findings identified in our audit and presented in Exhibit I was not\nsubjected to the auditing procedures applied in the audit of the Department\xe2\x80\x99s consolidated financial\nstatements and, accordingly, we express no opinion on it.\n\nThis report is intended solely for the information and use of the Department\xe2\x80\x99s management, the\nDepartment\xe2\x80\x99s Office of Inspector General, OMB, the U.S. 
Government Accountability Office, and the U.S.\nCongress and is not intended to be and should not be used by anyone other than these specified parties.\n\n\n\n\nNovember 14, 2012\n\x0cIndependent Auditors\xe2\x80\x99 Report\nExhibit I \xe2\x80\x93 Significant Deficiency\n\n\n\n\n                       Unclassified Network and Information Systems Security\n                      (Finding numbers reported in separate management letter)\n\n\nThe United States Department of Energy (the Department or DOE) uses a series of interconnected\nunclassified networks and information systems. Federal and Departmental directives, included in DOE\nOrder 205.1B, Department of Energy Cyber Security Program, require the establishment and maintenance\nof security over unclassified information systems, including financial management systems. Past audits\nidentified significant weaknesses in selected systems and devices attached to the computer networks at\nsome Department sites. The Department has implemented corrective actions to address many of the\nidentified weaknesses at the sites whose security controls we, and the Department\xe2\x80\x99s Office of Health,\nSafety and Security, reviewed in prior years. However, at the time of our testing, these corrective actions\nhad not been completed. The frequency of network security weaknesses reported by KPMG has decreased\nwhen compared to the prior year weaknesses, but remains slightly higher than fiscal year (FY) 2010. The\nseverity of these weaknesses remains consistent with prior year weaknesses. The Department recognizes\nthe need to enhance its unclassified cybersecurity program and has categorized unclassified cybersecurity\nas a leadership challenge in its Federal Managers' Financial Integrity Act assurance statement for FY\n2012. 
Improvements are still needed in the areas of system and application access and related access privileges, password management, configuration and vulnerability management, restriction of network services, and integrity of web applications.

Our FY 2012 audit disclosed information system security deficiencies similar in type and risk level to our findings in prior years. We identified similar weaknesses at sites where we had not reviewed security controls in the prior year. Specifically, we noted weaknesses within layered security controls for network servers and devices, desktop systems and business applications. We identified multiple instances of easily guessed login credentials or unrestricted access controls on network systems that could permit unauthorized access to those systems and their data. We also found weak account management and monitoring controls for review, approval, provisioning and termination of administrative and user accounts that may increase the risk of malicious or unauthorized access to systems and data.

In the area of configuration and vulnerability management, we identified deficiencies in the patch management process for timely and secure installation of critical software patches, with numerous instances in which security patches had not been applied to correct known vulnerabilities more than three months after the patches became available. The affected systems included workstations used by financial application users and system administrators with privileged levels of access to financial systems and other network systems. We also noted numerous weaknesses in web application integrity as a result of design flaws in those applications. We identified web applications that did not properly validate the form or content of input data against an application's database, which could result in unauthorized access to application functionality, sensitive data stored in the applications, and other network systems and applications.

While many of these cybersecurity weaknesses were corrected immediately after we identified and reported them to site management, deficiencies in the process and procedures for identifying, monitoring and remediating such deficiencies have continued from prior years. We also identified inconsistent risk management practices at several sites and noted that site management had not established a risk acceptance process to fully document acceptance of risk. We further noted that multiple sites were continuing to develop and implement site-level Implementation Plans in accordance with the Department's Risk Management Approach (RMA) to address these weaknesses. However, these risk management enhancements were incomplete at the time of our testing.

The Department's Office of Inspector General (OIG) reported on these deficiencies in its evaluation report on The Department's Unclassified Cyber Security Program - 2012, dated November 2012. The OIG noted that identified weaknesses occurred, in part, because Departmental entities had not ensured that cybersecurity requirements were fully developed and implemented. The OIG reported that programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place. The OIG noted that the Department's Plans of Action and Milestones were not always effectively used to report, prioritize and track cybersecurity weaknesses through remediation.
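The patch-management finding above (security patches outstanding more than three months on workstations used by financial-application users and privileged administrators) is the kind of condition an inventory check can surface continuously rather than once a year. The following is an added example, not part of the audit report and not a Department tool: it scores a constructed host inventory against a 90-day threshold (our reading of "three months"), treats a patch applied late as still a finding, and ranks hosts used by privileged users first. Host names, patch identifiers and dates are hypothetical.

```python
"""Patch-latency check over a constructed host inventory.

Added example, not part of the audit report or any Department tool.
Flags hosts on which a security patch was, or still is, outstanding
beyond a threshold, and lists hosts used by privileged financial-system
users first. Host names and patch identifiers are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the report's "more than three months" is read as 90 days.
PATCH_SLA = timedelta(days=90)


@dataclass
class PatchRecord:
    host: str
    patch_id: str               # hypothetical vendor patch identifier
    released: date              # date the vendor made the patch available
    installed: Optional[date]   # None means the patch is still not applied
    privileged_user: bool       # host used by an admin or financial-app user with elevated access


def days_outstanding(rec: PatchRecord, as_of: date) -> int:
    """Days from release until installation, or until `as_of` if never installed."""
    end = rec.installed if rec.installed is not None else as_of
    return (end - rec.released).days


def overdue(rec: PatchRecord, as_of: date) -> bool:
    """True when the patch was (or remains) unapplied for longer than PATCH_SLA."""
    return days_outstanding(rec, as_of) > PATCH_SLA.days


def patch_findings(records: List[PatchRecord], as_of: date) -> List[PatchRecord]:
    """Overdue records only: privileged hosts first, then longest outstanding first."""
    hits = [r for r in records if overdue(r, as_of)]
    hits.sort(key=lambda r: (not r.privileged_user, -days_outstanding(r, as_of), r.host))
    return hits


# Constructed sample inventory (not data from the report).
SAMPLE = [
    PatchRecord("fin-ws-01",   "VENDOR-2012-001", date(2012, 4, 10), None,              True),
    PatchRecord("fin-ws-02",   "VENDOR-2012-001", date(2012, 4, 10), date(2012, 5, 1),  True),
    PatchRecord("admin-ws-07", "VENDOR-2012-002", date(2012, 2, 14), date(2012, 8, 20), True),
    PatchRecord("kiosk-03",    "VENDOR-2012-002", date(2012, 2, 14), None,              False),
    PatchRecord("web-05",      "VENDOR-2012-003", date(2012, 8, 1),  None,              False),
]
AS_OF = date(2012, 9, 30)  # fiscal year end used as the review date

if __name__ == "__main__":
    for r in patch_findings(SAMPLE, AS_OF):
        state = "still missing" if r.installed is None else f"applied late on {r.installed}"
        print(f"{r.host:12} {r.patch_id:16} {days_outstanding(r, AS_OF):4d} days  {state}"
              f"  privileged={r.privileged_user}")
```

Counting a late installation as a finding matters for the process point the report makes: a patch applied only after auditors flagged it still shows that the site's own monitoring did not catch it, so the check measures the remediation process, not just the current state.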
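The web-application finding above (applications that did not validate the form or content of input before it reached the database) is best understood by putting the defective pattern next to a corrected one. This is an added example, not code from the report or from any Department application: a hypothetical invoice lookup built on an in-memory SQLite table with constructed rows. The defective form splices request input into the statement text; the hardened form rejects identifiers that do not match the expected shape, passes values as query parameters, and enforces record ownership on the server. The table, the rows and the `INV-nnnnnn` identifier format are assumptions.

```python
"""Web-application input handling: defective lookup beside a hardened one.

Added example; not from the audit report or the Department's systems.
Uses an in-memory SQLite table with constructed rows. The hypothetical
endpoint looks up an invoice by an identifier supplied in a request.
"""
import re
import sqlite3

# Assumed identifier format for this hypothetical application.
INVOICE_ID = re.compile(r"^INV-[0-9]{6}$")


def build_db():
    """Create the constructed sample table (not real Department data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id TEXT PRIMARY KEY, vendor TEXT, amount REAL, owner TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        ("INV-000101", "Acme Supply", 1250.00, "alice"),
        ("INV-000102", "Northwind", 980.50, "bob"),
        ("INV-000103", "Contoso", 4310.00, "carol"),
    ])
    return conn


def lookup_vulnerable(conn, user, invoice_id):
    # The defect the finding describes: input reaches the database unvalidated,
    # spliced into the statement text, so a malformed id changes the query itself.
    sql = f"SELECT id, vendor, amount FROM invoices WHERE owner = '{user}' AND id = '{invoice_id}'"
    return conn.execute(sql).fetchall()


class InvalidInput(ValueError):
    """Raised when request input fails form validation."""


def lookup_hardened(conn, user, invoice_id):
    # 1) Validate form: reject anything that is not shaped like an invoice id.
    if not INVOICE_ID.fullmatch(invoice_id):
        raise InvalidInput("invoice id has unexpected form")
    # 2) Parameterize: values are bound by the driver and never become statement text.
    # 3) Enforce ownership server-side rather than trusting the caller's claim.
    return conn.execute(
        "SELECT id, vendor, amount FROM invoices WHERE owner = ? AND id = ?",
        (user, invoice_id),
    ).fetchall()


def demo():
    """Return (rows leaked by the defective lookup, rows from a valid hardened lookup,
    whether the hardened lookup rejected the malformed input)."""
    conn = build_db()
    crafted = "INV-000101' OR '1'='1"  # constructed malformed input, not a valid id
    leaked = lookup_vulnerable(conn, "alice", crafted)   # every row, regardless of owner
    legit = lookup_hardened(conn, "alice", "INV-000101")  # exactly alice's invoice
    try:
        lookup_hardened(conn, "alice", crafted)
        rejected = False
    except InvalidInput:
        rejected = True
    return len(leaked), len(legit), rejected


if __name__ == "__main__":
    print("leaked rows, legitimate rows, malformed input rejected:", demo())
```

The validation step is what the finding calls checking the form of input; parameterization and the server-side owner check address its content reaching the database and the unauthorized access to application functionality and stored data that the report warns of. Rejecting malformed input early also gives the application a clean event to log for detection.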
The OIG also reported deficiencies in physical and logical access controls and configuration management at several sites where, even when policies and procedures were established, implementation of those policies and procedures was not aligned with the Federal requirements.

The identified vulnerabilities and control weaknesses in unclassified network and information systems increase the possibility that malicious destruction or alteration of data or unauthorized processing could occur. Because of our concerns, we performed supplemental procedures and identified compensating controls that mitigate the potential effect of these security weaknesses on the integrity, confidentiality and availability of data in the Department's financial applications.

During FY 2012, the Department had taken steps to enhance its unclassified cybersecurity program under the collaborative leadership of the DOE Information Management Governance Council (IMGC) and IMGC Working Group. The Joint Cybersecurity Coordination Center (JC3) Governance Model was approved in May 2012 to implement the requirements of DOE Order 205.1B related to continuous monitoring and risk management. The Department also continued ongoing efforts to improve awareness of Cybersecurity initiatives, including role-based training and workforce development, and to promote effective channels of communication and collaboration.

Recommendation:

While progress has been made, continued efforts are needed to effectively manage the evolving nature of cybersecurity threats, including strengthening the management review process and monitoring of field sites to ensure the adequacy of cybersecurity program performance; fully implementing revised and ongoing risk management processes; and expanding the use of automated tools in the resolution of the vulnerabilities and control weaknesses described above to ensure that systems are properly configured, implemented and updated throughout the lifetime of those systems.

Therefore, we recommend that the Under Secretary for Nuclear Security, Under Secretary of Energy, and Under Secretary for Science, in coordination with the Department and National Nuclear Security Administration (NNSA) Chief Information Officers, fully implement policies and procedures to meet Federal cybersecurity standards, protect networks and information systems against unauthorized access, and implement an adequate performance monitoring program, such as the use of periodic evaluations by Headquarters management, to improve the effectiveness of sites' cybersecurity program implementation. Detailed recommendations to address the issues discussed above have been separately reported to the cognizant management officials.

Management's Response:

The Department of Energy's Chief Information Officer (CIO) appreciates the opportunity to comment on the OIG's recognition of the Department's continued progress in addressing weaknesses and enhancing its unclassified cybersecurity program. The information in this report will enable the Department to take appropriate follow-up action on specific findings, as well as to continue to work in the most effective way to improve the Department's cybersecurity posture.

Throughout FY 2013, the Department will continue to enhance policies and procedures that define and implement the cybersecurity program and maintain the risk management approach.


Independent Auditors' Report
Exhibit II – Status of Prior Year Significant Deficiency

Fiscal Year 2011 Significant Deficiency        Status at September 30, 2012

Unclassified Information Systems Security      Not fully implemented – Unclassified network and information systems security issues continue to be reported in Exhibit I as a significant deficiency.


IG Report No. OAS-FS-13-04

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report that would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

Office of Inspector General (IG-1)
Department of Energy
Washington, DC 20585

ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.


The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page
http://energy.gov/ig

Your comments would be appreciated and can be provided on the Customer Response Form.
